Most modern applications are empowered by online services, so
application developers frequently implement authentication and
authorization. Major online providers, such as Facebook and Microsoft,
provide SDKs for incorporating authentication services. This paper
considers whether those SDKs enable typical developers to build secure
apps. Our work focuses on systematically explicating implicit
assumptions that are necessary for secure use of an SDK. Understanding
these assumptions depends critically on not just the SDK itself, but on
the underlying runtime systems. We present a systematic process for
identifying critical implicit assumptions by building semantic models
that capture both the logic of the SDK and the essential aspects of
underlying systems. These semantic models provide the explicit basis for
reasoning about the security of an SDK. We use a formal analysis tool,
along with the semantic models, to reason about all applications that
can be built using the SDK. In particular, we formally check whether the
SDK, along with the explicitly captured assumptions, is sufficient to
imply the desired security properties.

We applied our approach to three widely used
authentication/authorization SDKs. Our approach led to the discovery of
several implicit assumptions in each SDK, including issues deemed
serious enough to receive Facebook bug bounties and change the OAuth 2.0
specification. We verified that many apps constructed with these SDKs
(indeed, the majority of apps in our study) are vulnerable to serious
exploits because of these implicit assumptions, and we built a prototype
testing tool that can detect several of the vulnerability patterns we
identified.